cryptography

Security researchers have busted the encryption in several popular Crucial and Samsung SSDs

Posted by | cryptography, disk encryption, encryption, Gadgets, hardware, open source software, Samsung Electronics, Security, solid state drive | No Comments

Researchers at Radboud University have found critical security flaws in several popular Crucial and Samsung solid state drives (SSDs), which they say can be easily exploited to recover encrypted data without knowing the password.

The researchers, who detailed their findings in a new paper out Monday, reverse engineered the firmware of several drives to find a “pattern of critical issues” across the device makers.

In the case of one drive, the master password used to decrypt the drive’s data was just an empty string and could be easily exploited by flipping a single bit in the drive’s memory. Another drive could be unlocked with “any password” by crippling the drive’s password validation checks.

That wouldn’t be much of a problem if an affected drive also used software encryption to secure its data. But the researchers found that in the case of Windows computers, often the default policy for BitLocker’s software-based drive encryption is to trust the drive — and therefore rely entirely on a device’s hardware encryption to protect the data. Yet, as the researchers found, if the hardware encryption is buggy, BitLocker isn’t doing much to prevent data theft.

In other words, users “should not rely solely on hardware encryption as offered by SSDs for confidentiality,” the researchers said.
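To see which volumes on a Windows machine are in the position described above, the check below classifies each volume by the encryption method BitLocker reports. It is an added example, not code from the researchers or the article; the sample text is constructed and assumes the English-locale layout of `manage-bde -status` output.

```python
import re

# Constructed sample in the layout of English-locale `manage-bde -status`
# output (an assumption; the OID suffix is illustrative). Not from the article.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
"""

VOLUME_RE = re.compile(r"^Volume\s+(\S+)", re.MULTILINE)
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+?):[ \t]+(.*)$", re.MULTILINE)

def parse_volumes(text):
    """Split the report per volume and return {volume: {field: value}}."""
    starts = [(m.start(), m.group(1)) for m in VOLUME_RE.finditer(text)]
    volumes = {}
    for i, (pos, name) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(text)
        volumes[name] = {k: v.strip() for k, v in FIELD_RE.findall(text[pos:end])}
    return volumes

def classify(fields):
    """Say who actually protects the data on this volume."""
    method = fields.get("Encryption Method", "")
    if method.startswith("Hardware Encryption"):
        return "hardware"      # BitLocker delegated encryption to drive firmware
    if method in ("", "None"):
        return "unencrypted"
    return "software"          # BitLocker itself encrypts (e.g. XTS-AES)

def audit(text):
    return {vol: classify(f) for vol, f in parse_volumes(text).items()}

if __name__ == "__main__":
    for vol, kind in audit(SAMPLE_STATUS).items():
        print(vol, kind)
```

A volume reported as `hardware` shows "Protection On" while depending entirely on the drive's firmware, which is the silent-failure case the article describes.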

Alan Woodward, a professor at the University of Surrey, said that the greatest risk to users is the drive’s security “failing silently.”

“You might think you’ve done the right thing enabling BitLocker but then a third-party fault undermines your security, but you never know and never would know,” he said.

Matthew Green, a cryptography professor at Johns Hopkins, described the BitLocker flaw in a tweet as “like jumping out of a plane with an umbrella instead of a parachute.”

The researchers said that their findings are not yet finalized — pending a peer review. But the research was made public after disclosing the bugs to the drive makers in April.

Crucial’s MX100, MX200 and MX300 drives, Samsung’s T3 and T5 USB external disks and Samsung 840 EVO and 850 EVO internal hard disks are known to be affected, but the researchers warned that many other drives may also be at risk.

The researchers criticized the device makers’ proprietary and closed-source cryptography that they said — and proved — is “often shown to be much weaker in practice” than open-source and auditable cryptographic libraries. “Manufacturers that take security seriously should publish their crypto schemes and corresponding code so that security claims can be independently verified,” they wrote.

The researchers recommend using software-based encryption, like the open-source software VeraCrypt.

In an advisory, Samsung also recommended that users install encryption software to prevent any “potential breach of self-encrypting SSDs.” Crucial’s owner Micron is said to have a fix on the way, according to an advisory by the Netherlands’ National Cyber Security Center, but did not say when.

Micron did not immediately respond to a request for comment.

Powered by WPeMatico

What happens when hackers steal your SIM? You learn to keep your crypto offline

Posted by | Apps, Bank, blockchain, business, coinbase, cryptography, cybercrime, economy, identity theft, mining, Mobile, social engineering, T-Mobile, TC | No Comments

A year ago I felt a panic that still reverberates in me today. Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto. Their social engineering tactics, to be clear, were laughable but they could have been catastrophic if my friends were less savvy.

Flash forward a year and the same thing happened to me again – my LTE coverage winked out at about 9pm and it appeared that my phone was disconnected from the network. Panicked, I rushed to my computer to try to salvage everything I could before more damage occurred. It was a false alarm but my pulse went up and I broke out in a cold sweat. I had dealt with this once before and didn’t want to deal with it again.

Sadly, I probably will. And you will, too. The SIM card swap hack is still alive and well and points to one and only one solution: keeping your crypto (and almost your entire life) offline.

Trust No Carrier

Stories about massive SIM-based hacks are all over. Most recently a crypto PR rep and investor, Michael Terpin, lost $24 million to hackers who swapped his AT&T SIM. Terpin is suing the carrier for $224 million. This move, which could set a frightening precedent for carriers, accuses AT&T of “fraud and gross negligence.”

From Krebs:

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

While we can wonder in disbelief at a crypto investor who keeps his cash in an online wallet secured by text message, how many other services do we use that depend on emails or text messages, two vectors easily hackable by SIM spoofing attacks? How many of us would be resistant to the techniques that nabbed Terpin?

Another crypto owner, Namek Zu’bi, lost access to his Coinbase account after hackers swapped his SIM, logged into his account, and changed his email while attempting direct debits to his bank account.

“When the hackers took over my account they attempted direct debits into the account. But because I blocked my bank accounts before they could it seems there are bank chargebacks on that account. So Coinbase is essentially telling me sorry you can’t recover your account and we can’t help you but if you do want to use the account you owe $3K in bank chargebacks,” he said.

Now Zu’bi is facing a different issue: Coinbase is accusing him of being $3,000 in arrears and will not give him access to his account because he cannot reply from the hacker’s email.

“I tried to work with Coinbase hotline who is supposed to help with this but they were clueless even after I told them that the hacker changed email address on my original account and then created a new account with my email address. Since then I’ve been waiting for a ‘specialist’ to email me (was supposed to be 4 business days it’s been 8 days) and I’m still locked out of my account because Coinbase support can’t verify me,” he said.

It has been a frustrating ride.

“As an avid supporter and investor in crypto it baffles me how one of the market leaders who just supposedly launched institutional grade custody solutions can barely deal with a basic account take-over fraud,” Zu’bi said.

How do you protect yourself?

I’ve been using Trezor hardware wallets for a while, storing them in safe places outside of my home and maintaining a separate record of the seeds in another location. I have very little crypto but even for a fraction of a few BTC it just makes sense to practice safe storage. Ultimately, if you own crypto you are now your own bank. That you would trust anyone – including a fiat bank – to keep your digital currency safe is deeply delusional. Heck, I barely trust Trezor and they seem like the only solution for safe storage right now.

When I was first hacked I posted recommendations by crypto exchange Kraken. They are still applicable today:

Call your telco and:

  • Set a passcode/PIN on your account
    • Make sure it applies to ALL account changes
    • Make sure it applies to all numbers on the account
    • Ask them what happens if you forget the passcode
      • Ask them what happens if you lose that too
  • Institute a port freeze
  • Institute a SIM lock
  • Add a high-risk flag
  • Close your online web-based management account
  • Block future registration to online management system
  • Hack yo’ self
    • See what information they will leak
    • See what account changes you can make
They also recommend changing your telco email to something wildly inappropriate and using a burner phone or Google Voice number that is completely disconnected from your regular accounts as a sort of blind for your two factor texts and alerts.

Sadly, doing all of these things is quite difficult. Further, carriers don’t make it easy. In May a 27-year-old man named Paul Rosenzweig fell victim to a SIM-swapping hack even though he had SIM lock installed on his account. A rogue T-Mobile employee bypassed the security, resulting in the loss of a unique three character Twitter and Snapchat account.

Ultimately nothing is secure. The bottom line is simple: if you’re in crypto expect to be hacked and expect it to be painful and frustrating. What you do now – setting up real two-factor security, offloading your crypto onto physical hardware, making diligent backups, and protecting your keys – will make things far better for you in the long run. Ultimately, you don’t want to wake up one morning with your phone off and all of your crypto siphoned off into the pocket of a college kid like Joel Ortiz, a hacker who is now facing jail time for “13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.” Sadly, none of the crypto he stole has surfaced after his arrest.


Researchers create a light-based key distribution system for quantum encryption

Posted by | applied mathematics, cryptography, Duke University, Emerging-Technologies, Gadgets, quantum computing, quantum cryptography, TC | No Comments

Researchers at Duke University, OSU and Oak Ridge National Laboratory have solved one of the biggest problems with new forms of quantum encryption: quantum key distribution. QKD is the process of distributing keys during a transmission and in a way that will tell both sides of the conversation that someone is eavesdropping. The new system, which uses lasers to transmit multiple bits at once,…


Tortuga Logic raises $2 million to build chip-level security systems

Posted by | computer security, computing, cryptography, Cyberwarfare, Gadgets, national security, Startups, TC, vulnerability | No Comments

Tortuga Logic has raised $2 million in seed funding from Eclipse Ventures to help in their effort to maintain chip-level system security. Based in Palo Alto, the company plans to use the cash to build products that will find “lurking vulnerabilities” on computer hardware. The founders, Dr. Jason Oberg, Dr. Jonathan Valamehr, Professor Ryan Kastner of UC San Diego, and Professor…


Security experts have cloned all seven TSA master keys

Posted by | cryptography, Gadgets, key, lock, Security, TC | No Comments

Key escrow — the process of keeping a set of keys for yourself “just in case” — has always been the U.S. government’s modus operandi when it comes to security. From the disastrous Clipper chip to today, the government has always wanted a back door into encryption and security. That plan backfired for the TSA.
The TSA, as you’ll remember, offers a set of…


NIST declares the age of SMS-based 2-factor authentication over

Posted by | cryptography, Gadgets, Government, Mobile, nist, regulations, Security, SMS, standards, TC, two factor authentication | No Comments

2-factor authentication is a great thing to have, and more and more services are making it a standard feature. But one of the go-to methods for sending 2FA notifications, SMS, is being left in the dust by the National Institute of Standards and Technology.


MIT’s anonymous online communications protocol Riffle could beat Tor at its own game

Posted by | anonymity, cryptography, encryption, Gadgets, MIT, Security, TC, tor | No Comments

Tor has been the go-to for anonymous communication online for years now — and that has made it one of the juiciest targets possible to the likes of the NSA and FBI. A new anonymizing protocol from MIT may prove more resilient against such determined and deep-pocketed attackers.


Qualcomm says it issued patch for Android encryption flaw over a year ago

Posted by | Android, cryptography, disk encryption, encryption, Mobile, Qualcomm, Security, TC | No Comments

Cracking encryption is a topic of perpetual fascination. Congress has made several efforts to legislate it. The FBI tried to force Apple to do it. New messaging apps constantly debut with claims about strong encryption, and controversy bubbles when they neglect it.


Cryptography pioneer Marty Hellman calls for compassion in personal, cyber, and international threats

Posted by | cryptography, Gadgets, martin hellman, Politics, privacy, Security, TC, turing award | No Comments

It’s been a long time since Marty Hellman and his collaborator Whitfield Diffie ushered in a new era of private communication with their invention of public key cryptography — but better late than never when it comes to winning the Turing Award, referred to by some as the Pulitzer for technology. I talked with Hellman about tech, global politics, and keeping relationships alive.


Why Apple Is Right To Reject The FBI’s Push To Brute Force iPhone Security

Posted by | 5c, All Writs Act, Apple, apple inc, computer security, cryptography, Edward Snowden, encryption, Europe, FBI, Government, iOS, iPhone, Mobile, Opinion, privacy, Security, smartphones, TC | No Comments

A customer tries out the new Apple iPhone 6S at an Apple store on Chicago's Magnificent Mile, Friday, Sept. 25, 2015, in Chicago. (AP Photo/Kiichiro Sato)

Apple is under pressure from the FBI to backdoor iPhone security. But how will any technology company be able to offer trusted services to consumers if government-mandated backdoors are being forced upon them?
